Summary
I use Concourse with HashiCorp Vault as a credential manager. Caching is enabled with CONCOURSE_SECRET_CACHE_ENABLED=true.
My Vault server is configured with several secrets engines, including the aws engine. This engine is configured to provide STS assumed role credentials good for 15 minutes.
I recently upgraded Vault from v1.12.3 to v1.13.0, which changed the behavior of this engine to not generate leases for STS credentials: hashicorp/vault#15869
With this change, the lease_duration returned from this request is set to 0, rather than the actual TTL of the credentials.
Concourse only ever retrieves the secret once and then continues using it until ATC is restarted. It's unclear if this is intentional.
Steps to reproduce
Download and start up Vault 1.13.0.
Configure Concourse to use the Vault server, and start it up.
Configure Vault to provide AWS STS credentials.
Log in to Concourse and run a task that uses the credentials.
Expected results
New credentials are used for each build, as the watch interval is the same as the Concourse secret cache duration.
Actual results
The first set of credentials is used until ATC is restarted.
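To make the expected behaviour concrete, here is an added example (not Concourse's code and not the reporter's) of a small secret cache that treats a Vault response with lease_duration 0 as "no lease issued" rather than "valid forever": the entry is re-read once the configured cache duration (the maxTTL parameter, an assumption of this example) elapses, and a positive lease is honoured but capped at that duration. The Vault response is a constructed sample with placeholder credentials, and the clock is injectable so the expiry can be exercised offline.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// vaultResponse is the subset of a Vault read response that matters for caching.
// Field names follow Vault's HTTP API; "data" carries the secret payload.
type vaultResponse struct {
	LeaseDuration int               `json:"lease_duration"`
	Data          map[string]string `json:"data"`
}

// cacheEntry is a cached secret together with the instant it must be re-read.
type cacheEntry struct {
	Data    map[string]string
	Expires time.Time
}

// cacheTTL decides how long a secret may be served from cache. A lease_duration
// of 0 means "no lease was issued" (the Vault 1.13 STS behaviour), not "valid
// forever", so it falls back to the configured cache duration instead of pinning
// the first credentials indefinitely. A positive lease is honoured, capped at maxTTL.
func cacheTTL(leaseSeconds int, maxTTL time.Duration) time.Duration {
	if leaseSeconds <= 0 {
		return maxTTL
	}
	lease := time.Duration(leaseSeconds) * time.Second
	if lease < maxTTL {
		return lease
	}
	return maxTTL
}

// secretCache is a minimal refetching cache keyed by Vault path (hypothetical,
// not Concourse's implementation). The clock is injectable so expiry can be tested.
type secretCache struct {
	maxTTL  time.Duration
	now     func() time.Time
	fetch   func(path string) (vaultResponse, error)
	entries map[string]cacheEntry
	fetches int // backend reads performed; lets a caller verify refresh behaviour
}

func newSecretCache(maxTTL time.Duration, fetch func(string) (vaultResponse, error)) *secretCache {
	return &secretCache{maxTTL: maxTTL, now: time.Now, fetch: fetch, entries: map[string]cacheEntry{}}
}

// Get returns the secret at path, re-reading it from the backend once the entry expires.
func (c *secretCache) Get(path string) (map[string]string, error) {
	if e, ok := c.entries[path]; ok && c.now().Before(e.Expires) {
		return e.Data, nil
	}
	resp, err := c.fetch(path)
	if err != nil {
		return nil, err
	}
	c.fetches++
	c.entries[path] = cacheEntry{
		Data:    resp.Data,
		Expires: c.now().Add(cacheTTL(resp.LeaseDuration, c.maxTTL)),
	}
	return resp.Data, nil
}

// sampleSTSResponse is a constructed stand-in for a Vault 1.13-style STS read
// with lease_duration 0; the credential values are placeholders, not real AWS material.
const sampleSTSResponse = `{"lease_duration": 0, "data": {"access_key": "ASIA-PLACEHOLDER", "secret_key": "placeholder", "security_token": "placeholder"}}`

func parseVaultResponse(raw string) (vaultResponse, error) {
	var r vaultResponse
	err := json.Unmarshal([]byte(raw), &r)
	return r, err
}

func main() {
	start := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
	clock := start
	cache := newSecretCache(15*time.Minute, func(string) (vaultResponse, error) {
		return parseVaultResponse(sampleSTSResponse)
	})
	cache.now = func() time.Time { return clock }

	const path = "concourse/main/sts/my-role"
	// Reads at t+0 and t+5m hit the cache; t+21m is past the 15m TTL and re-reads.
	for _, step := range []time.Duration{0, 5 * time.Minute, 16 * time.Minute} {
		clock = clock.Add(step)
		if _, err := cache.Get(path); err != nil {
			panic(err)
		}
		fmt.Printf("t+%v: backend reads so far = %d\n", clock.Sub(start), cache.fetches)
	}
}
```

The point of the example is the fallback in cacheTTL: a cache that keys its expiry solely on lease_duration will keep serving the first STS credentials after Vault stops issuing leases, which is the behaviour this report describes. Using the configured cache duration as the upper bound makes a 0 lease mean "cache for at most the normal interval", so short-lived credentials are refreshed on the same schedule as everything else.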
Additional context
This is the raw JSON output from Vault 1.12.4 for vault read concourse/main/sts/my-role:
This is the JSON output from Vault 1.13.0:
Triaging info